Field
Embodiments presented herein generally relate to techniques for generating network whitelists, and more specifically, to techniques for automating construction of network whitelists in server endpoints using host-based security controls.
Description of the Related Art
Computer networks continue to expand, and users can access applications and data from virtually anywhere using a variety of computing devices (e.g., laptops, tablets, mobile telephones). As a result, enterprises (e.g., individuals, organizations, companies) find it increasingly difficult to prevent malicious actors from gaining access to a network, capturing sensitive information, and transferring the sensitive information out of the network. For example, malicious actors often exploit system vulnerabilities, employ compromised credentials issued to authorized users, perform SQL injection attacks, and use targeted malware (e.g., rootkits, spyware, remote access tools) to gain access to a given enterprise network. Thus, even with extensive defenses focused on preventing network intrusion, enterprises still suffer network breaches through a variety of sophisticated hacking techniques. Once a network breach has occurred, malicious actors typically attempt to spread malware to other systems and devices on the network, collect sensitive information, and transfer that sensitive information out of the network (e.g., for subsequent exploitation). Because this final exfiltration step must traverse the network, detecting or blocking unauthorized outbound connections is a key opportunity to limit the damage of a breach that prevention controls did not stop.
Further, enterprises today increasingly use cloud-based services to run applications and store data. Cloud-based computing services can provide a number of benefits to enterprises, including flexibility, reliability, low capital expenditure, add-on services, data sharing, and centralized access to data. For example, organizations can quickly create or modify cloud-based computing instances on an as-needed basis to execute applications.
Currently, many of the tools used to prevent data exfiltration (i.e., the unauthorized transfer of data out of a network) focus on monitoring network traffic, e.g., with network-based security controls such as firewalls, intrusion detection systems, and data loss prevention appliances placed inline on the network. These network-based security controls, however, are generally not available to an enterprise that uses cloud-based services to run applications, store data, etc. For example, in a cloud-based environment the enterprise generally has neither access to nor control over the physical hardware or the underlying network, and therefore cannot deploy inline network security controls at the points where traffic leaves its computing instances. Any control the enterprise can deploy in such an environment must instead run on the computing instances themselves, i.e., as a host-based security control.